-= Per source details. Do not edit below this line.=-
The package exports a 发送邮件 (sendemail) function whose default sender, recipient, and SMTP auth code are hardcoded to the author's QQ account. In txdpy/发送邮件.py lines 14-17, senderemail defaults to '3215176932@qq.com', receiveremail defaults to 'xdsndy@qq.com', and password defaults to the embedded QQ SMTP authorization code. A caller invoking this documented API with the minimal signature (subject and body only) silently delivers their message content to the author's inbox via smtp.qq.com using the author's credentials — the API's advertised purpose (generic email sending) does not match its actual behavior (relaying to a fixed author-controlled mailbox). The function is re-exported from init.py, making it part of the package's public surface. Additionally, txdpy/翻译.py:18-20 ships the author's Baidu Translate API credentials (appid 20220712001270949 + secretkey) — author self-harm rather than installer harm, but corroborates a pattern of careless credential handling. A separate quality issue: pyndjs.py:74 evaluates os.popen('where node') as a function default argument, causing shell execution at import time.
{
"malicious-packages-origins": [
{
"versions": [
"2026.5"
],
"sha256": "767f0e720df9d2dd670fc9c607db01794649653be89daa42f01dfe34a69a8ecd",
"source": "amazon-inspector",
"modified_time": "2026-05-20T17:54:34Z",
"id": "IN-MAL-2026-003581",
"import_time": "2026-05-26T05:50:54.073724066Z"
}
]
}{
"package_integrity": [
{
"filename": "txdpy-2026.5-py3-none-any.whl",
"hashes": {
"sha256": "d15e1268b13116f914a1ce91610d8530bf1a2cac4ea364c139b5be7aba6ea920",
"md5": "26e1296dae3ecf1d0ca83bb8dd425faf",
"blake2b_256": "a4c00487cef669b5d71f50705b094932779228aead9662334183d583c8f4493e"
}
},
{
"filename": "txdpy-2026.5.tar.gz",
"hashes": {
"sha256": "f71b126a57a49ac63ee86dde08d976d659a4ddfdb00fa149a406eaeff3ae6fba",
"md5": "355f8d80f4729bd1327b9797430bc945",
"blake2b_256": "f2df556a3161181a4fb17421b7427a4489056d819bd11d477c3b5b3f67ab2dda"
}
}
],
"evidence_files": [
{
"sha256": "af4d7a0b645703f9d8a60f2363cf33d78c31e6f03348966f0b382b2320ae3af4",
"path": "txdpy/\u53d1\u9001\u90ae\u4ef6.py",
"tlsh": "f5219c056e9b2caf21fae187f416a404eadc10032a385664f4186e1e3f3be1722517ba"
},
{
"sha256": "38d29739be980985a1d2d86945efb0d81936054d3865706adcbcb84fb8ba6094",
"path": "txdpy/\u7ffb\u8bd1.py",
"tlsh": "1c118c219c26600590b1d52e62d67c14d03fe5025bd86f377b5dd51b1f7315939f8a4c"
},
{
"sha256": "3232898209de9a56fc49e0c1c73dc0d9f0fd920e1a3bb95505f98e924ece09e6",
"path": "txdpy/pyndjs.py",
"tlsh": "54c1a6057c663a2481b3ba251847090ae17d6bb388e870e9fbddc1e11f75c18427af7e"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/txdpy/MAL-2026-4772.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]